Longest prefix match lookup using hash function

ABSTRACT

A method and apparatus are used for finding the longest prefix match in a variable length prefix search when searching a direct table within a routing table structure of a network processor. The search through the routing table structure is expedited by hashing a first segment of an internet protocol address with a virtual private network number followed by concatenating the unhashed bits of the IP address to the result of the hash operation to form an input key. Patterns are compared a bit at a time until an exact match or the best match is found. The search is conducted in a search tree that provides that the matching results will be the best possible match.

CROSS REFERENCE TO RELATED APPLICATIONS

This application is a continuation of application Ser. No. 10/879,964, filed Jun. 29, 2004, which is a continuation-in-part of application Ser. No. 09/544,992, filed Apr. 6, 2000, for LONGEST PREFIX MATCH (LPM) SEARCH ALGORITHM IMPLEMENTATION FOR A NETWORK PROCESSOR, now U.S. Pat. No. 6,947,931, issued Sep. 20, 2005.

BACKGROUND OF THE INVENTION

1. Field of the Invention

This invention relates to computer networking structures and systems, particularly those that relate to the use of a hash function for the look up of an internet protocol (IP) address. More particularly, the invention relates to pattern matching algorithms using a longest prefix match algorithm and implemented in a network processing device.

2. Discussion of Related Art

Glossary of Terms and Abbreviations

The following terms and abbreviations shall have the meanings as set forth below unless clearly contra-indicated elsewhere in the body of the specification.

-   ASIC application specific integrated circuit
-   DRAM dynamic random access memory
-   DT direct-mapped table
-   FCB frame control block
-   FCBA frame control block address
-   FM fixed match
-   Gbps gigabit per second
-   HW half word (i.e., 16 bits)
-   IBP implied bit position
-   IP internet protocol
-   IP DA internet protocol destination address
-   LCBA leaf control block address—pointer to a specific route entry in routing table
-   LPM longest prefix match
-   NBT next bit to test
-   NP network processor
-   NPA next pattern address (link in Patricia tree chain)
-   NPC network processor complex
-   Patricia Practical Algorithm to Receive Information coded in Alphanumeric
-   PSCB pattern search control block
-   SRAM static random access memory
-   TSE tree search engine
-   VLAN virtual local area network
-   VPN virtual private network

Network processors (NPs) are finding widespread use in rapid frame processing and forwarding capability with function flexibility through a set of embedded, programmable protocol processors and complementary system coprocessors. Network processors offer real-time processing of multiple data streams, providing enhanced security and IP packet handling and forwarding capabilities. In addition, they provide speed improvements for advanced architectures, such as parallel distributed processing and pipeline processing designs. These capabilities can enable efficient search engines, increased data handling throughput, and they provide rapid execution of complex tasks. The programmable features of network processors provide network product developers with an easier migration path to implement new protocols and technologies without the requirement of creating new ASIC designs.

Network processors provide a highly customizable, scalable technology for the development of interconnecting solutions for internet or enterprise network providers. An NP provides spaces for a wide range of solutions for low-end, stand-alone devices to large multi-rack installations. Scaling of this nature is accomplished through the use of high-performance, non-blocking packet routing switch technology and proprietary interfaces which can be adapted to other industry switch technologies.

As a programmable communications integrated circuit, the network processor provides very efficient packet classification, multi-table lookups per frame, a packet classification queue/policy management, and other packet managing capabilities. The network processor integrates a switching engine, search engine, frame processors and Ethernet MACs on one device to support the needs of users who require high capability media weight switching frames based on frame content at any protocol layer.

Hardware accelerators perform frame forwarding, frame filtering and frame alteration. The network processor's ability to enforce hundreds of rules with complex range and action specifications sets a new benchmark for filtering capabilities, making a network processor-based system uniquely suited for high capacity server farm applications.

A typical system developed with a network processor uses a distributed software model, with each programmable network processor executing tasks concurrently. Some functions are performed in a control point processor, which can be internal or external to the network processor. The control point processor provides support for layer 2 and layer 3 routing protocols, and layer 4 and layer 5 network applications and systems management. Wire speed forwarding and filtering functions are performed by a combination of the network processor hardware and resident picocode.

In communication networks, comprising a number of interconnecting nodes, data can be sent from one node to any other node or network. Specialized nodes called routers are responsible for forwarding the data to their destinations. Any data sent through a communication network contains information about the destination address, generally as part of a header. Each router compares this information, or at least part of it, with a list of addresses stored internally. If a match is found between the stored addresses and the destination address, the router establishes a path leading to the destination node. Depending on the network size and structure, the data are either forwarded directly to their destination or are sent to another intermediate router. The ISO (International Organization for Standardization) developed a routing standard that provides for a router to store routing information for partial addresses. The router then sends the packet to the best matching partial address it has in its database. This standard allows a hierarchical structure of nodes to be built using a given number of digits or given header length. Main routers are addressed by the initial part of the address, sub-routers by the middle part, and the final destination by the last digits of the address. Therefore, it is sufficient for any router to read the digits assigned to the level of the hierarchy to which the data are to be sent.

The routing of the receive packet is based on the accompanying address string. The address string is used as the search key in a database which contains the address string along with other pertinent details, such as which router is next in a delivery of a packet. The database is referred to as the routing table while the link between the current router and the next router is called the next hop in the progress of the packet. The routing table search process depends on the structure of the address as well as the organization of the tables. For example, a search key of any size less than 8 bits and having a non hierarchical structure will most efficiently be found in a routing table organized as a series of address entries. The search key would be used as an index table to locate the right entry. For a search key of a larger size, for example 32 bits, the corresponding routing table may have more than 10,000 entries. Organizing the database as a simple table to be searched directly by an index would waste a large amount of memory space, because most of the table would remain empty.

Conventional routers break up the search process into several steps. The first step is to determine whether the router is directly connected to the destination host computer. In this case, the message is one hop from the destination and should be routed in that direction. If the destination computer is not directly connected to the router, the next step is to determine the topological direction of the destination network. If the direction is determined from the topological layout, the message is routed that way. Otherwise, the final step is to route the message along a default link.

Typically, the first step is performed using a linear search to a table containing the 32 bit addresses of host computers directly connected to the router. Reflecting the local topology, each entry in the address table is connected to a corresponding output interface leading directly to the addressed computer. When a destination address is received by a router, the full 32 bits are compared with each of the destination addresses in a table. If a match is found, the message is sent directly to the corresponding destination via the specified router interface.

The second step, that of determining the direction of the destination network, is not usually performed by a linear search through a table since the number of network addresses would make such a table difficult to manage and use. In the prior art, routers typically perform the determination using one of several well-known techniques, such as hashing, Patricia tree searching, and multilevel search. In hashing, a hash function reduces the network portion of the address, producing a small manageable index. The hashing index is used to index a hash table and to search for a matching hash entry. Corresponding to each hash entry of the hash table is the address of an output interface pointing in the topological direction of the corresponding network. If a match is found between the hash network portion and a hash entry, the message is directed toward the corresponding interface and destination network.

Hashing reduces a large, unmanageable field to a small manageable index. In the process, however, there is a chance that two or more fields may generate the same hash index. This occurrence is referred to as a collision, since these fields must be stored in the same location in the hash table. Further searching is needed to differentiate the entries during a collision. Therefore collisions reduce the efficiency obtained from using the hashing search and, in the worst case, where all permissible addresses reduce to a single index, hashing is rendered practically useless as a search process. The hash process also typically makes it difficult to distinguish among multiple prefix length table entries that all match the same search key.

Patricia tree searching avoids the collisions encountered by hashing methods. This type of search requires that all address strings and accompanying information, such as related router information, be stored in a binary tree. Starting from the most significant bit position within the address string, the search process compares the address, bit by bit, with the tree nodes. A match bit value guides the search to visit either the left or the right child node and the process is repeated for the next bit address. The search time is proportional to the size of the longest address string stored. In Patricia tree searching, the difference between the average search time and worst case search time is not significant. In addition, the routing table is organized quite efficiently. It requires less memory than comparable routing tables of hashing methods. Patricia tree searching handles the worst-case search time better than the hashing methods but, in most cases, takes significantly longer to locate a match. Therefore, many conventional routers use a combination of hashing and Patricia tree searching. This combination is called multi level searching.

Multilevel searching joins hashing with Patricia tree searching. A cache stores a hash table containing a subset of the most recently, and presumably most commonly, routed network addresses, while a Patricia tree stores the full set of network addresses. As a message is received, the destination address is hashed onto the table. If it is not located within a predetermined period of time, the address is passed to the Patricia tree search engine which insures that the address, if stored, will be found.

There are a number of known tree search algorithms including fixed match trees, longest prefix match trees, and software managed trees. Fixed match trees are used for fixed size patterns requiring an exact match, such as layer 2 Ethernet MAC tables. Longest prefix match trees are used for variable length patterns requiring only partial matches, such as IP subnet forwarding. Software managed trees are used for patterns that are defined as ranges or bit masks, such as filter rules. In general, lookup is performed with the aid of these tree search engines (TSEs).

High speed internet routers require the ability to efficiently look up internet protocol (IP) addresses. There are a variety of techniques for achieving this function, including binary search on multiple levels involving the use of multiple hashes for each input key or address. Other techniques use a cryptographic hashing function in conjunction with an IP address. Still others use a hashed radix tree method for IP route look up. Yet another approach is the use of the hashing function to generate the host identification portion of the IP address. Another method retrieves and hashes header information.

Virtual private networks (VPNs) have become popular and convenient means for protecting intra-entity communications that are transmitted over the internet. With a VPN, organizations can connect their remote branch offices, project teams, business partners and e-customers into a central network. These VPNs are fast becoming an important part of the networking infrastructure, and provide many of the benefits of a dedicated private network without the costs associated with a dedicated network. They utilize a combination of techniques for handling data packets which are being sent among members of the entity. The techniques include various combinations of compression, encryption and authentication, the rules of which may vary for members of different groups within the entity. Routers are being challenged to manage these VPNs on top of the public internet infrastructure.

U.S. Pat. No. 6,212,183 describes the use of a hash function to the first part of an IP address. Accessing routing information in a networking system uses multiple fields to characterize an input packet. It looks for a match in all fields to identify appropriate routing information. This patent depends on a hash table being large enough that there are no collisions. In other words, if 16 bits of the IP address is used as the first part, the hash table must contain 2¹⁶ entries. Alternatively, a smaller hash table can be used if a perfect hash is used that would avoid collisions. The patent does not disclose a mechanism to deal with collisions. Furthermore, no VPN functionality is mentioned.

U.S. Pat. No. 6,308,220 describes a method of accessing routing information in a networking system using the bandwidth of embedded memory to enable brute force comparison of an IP address to all entries in a routing table. However, the method of achieving access lacks the features of the present invention.

U.S. Pat. No. 6,223,172 relates to a method of accessing routing information in a networking system using an interactive process, starting with one mask length. The length of the mask is adjusted by one bit for each step. All routes of a given prefix length share a common table. However, the methodology is different than that of the present invention.

U.S. Pat. No. 6,675,163 B1 describes a full match search structure and method for finding a full match between a search pattern and a pattern stored in a leaf of a search tree.

The article entitled “Using Multiple Hash Functions to Improve IP Lookups” by A. Broder and M. Mitzenmacher appearing in IEEE INFOCOM 2001 describes the use of a hash function to a longest prefix match (LPM) routing table search. The method depends on a separate hash for each possible prefix length. The search structure is constructed to avoid collisions. It does not include VPN functionality.

Research Report n443 3-2001 #117, p. 456, describes a hybridization of a longest prefix match lookup and a fixed match lookup. It uses a hash function in the first part of an IP address and relies on the tedious step of comparing all matching entries from a hash table to resolve collisions. It does not include VPN functionality.

SUMMARY OF THE INVENTION

In view of the long search-times resulting from existing VPN routing table structures, it is an object of the current invention to provide a VPN routing table structure with search performance approaching that of a routing table structure without VPN support.

Another aspect of the subject invention is an optimization to the search engine that interprets the significant bit to test each entry in a table (hereinafter referred to as a direct table) as 16+N.

Still another aspect of the subject invention is to hash the first segment of the IP address with the VPN number. This reduces the number of PSCBs that must be processed during a search since the hash is able to better distribute the combination of the VPN/partial IP address across entries in the direct table that are not used for a direct map of the partial IP address. Note that the remaining segment of the IP address must not be hashed in order to preserve the longest prefix match characteristic required by routing tables.

These and other objects and advantages are achieved with a system and a method using hardware or a computer readable program for determining a longest prefix match for a variable length search key by a computer processing device. The method involves the acts of reading an IP destination address, reading a VPN number, and performing a hash on the N most significant bits of the IP destination address and the VPN number to form an input key. The input key is then used as an index into a table representing a plurality of root nodes of search trees wherein each non-empty entry in the table contains a pointer to a next branch in the search tree or a leaf. The table preferably contains 2^(N) entries. A determination is made as to whether the pointer in a non-empty table entry points to a leaf or to a next branch of the corresponding search tree. The next branch contents are read if the pointer does not point to the leaf of the corresponding search tree, and the prefix represented by the next branch is compared with the input key to find a distinguishing bit position. When the leaf of a corresponding search tree is reached, the leaf pattern is compared with the input key to determine if the leaf pattern matches the input key. Finally, the longest prefix match found for the input key is returned to a requesting application. The contents of the next branch of the corresponding search tree points either to another next branch or to a leaf of the corresponding search tree. The leaf may represent a partial prefix match of the input key. The search for the longest prefix match is terminated when the bit number of the next branch exceeds the length of the input key.

The invention also relates to a method of conducting a search through a virtual private network routing table structure through at least one search tree. The search involves mapping a first segment of an internet protocol destination address with a virtual private network number to form a search key and, thereafter, inputting the search key into a direct table within the routing table structure wherein the direct table represents a plurality of root nodes of search trees. Then, the longest prefix match for a variable length search key is determined. The method includes the steps required to insert or delete a route into or out of the routing table structure.

The invention also relates to an article of manufacture comprising a computer usable medium having a computer readable program embodied in said medium. The program, when executed on a computer, causes the computer to conduct a search through a virtual private network routing table structure. Utilizing the steps of hashing a first segment of an internet protocol destination address with a virtual private network number, a search is conducted through a direct table in the routing structure. If a match is not found within the table, then the key is walked through a tree search structure until the longest prefix match is achieved. The medium includes a lookup definition table that manages a tree search memory. The lookup definition table resides in a plurality of memories and comprises entries that define a physical memory that the tree resides in, a size of the key and leaf, and a type of search to be performed. A format for a direct table entry includes at least one pattern search control block; a next pattern address that points to a next pattern search control block; a leaf control block address that points to a leaf or result; a next bit or bits to test, and a direct leaf. A leaf data structure includes at least one of a leaf chaining pointer, a prefix length, a pattern to be compared to the search key, and variable user data. The direct leaf is stored directly in a direct table entry and includes a search control block and a pattern to be compared to a search key. A pattern search control block is inserted in the search tree at a position where the leaf patterns differ, and has a shape defined by a width of one and a height of one, and is stored in a memory that has a line length of at least 64 bits. Alternatively, the pattern search control block can have a shape defined by a width of one and a height of two, and is stored in a memory of at least 36 bits.

The computer readable medium contains a program product for determining a longest prefix match for a variable length search key. The product contains program instructions that read an IP destination address and a VPN number as a search string. It likewise contains program instructions that perform a hash on the N most significant bits of the IP destination address and the VPN number to form an input key. Program instructions use the N most significant bits of the input key as an index into a table representing a plurality of root nodes of search trees wherein each non-empty entry contains a pointer to a next branch in the search tree or a leaf. Program instructions determine if the pointer in a non-empty table entry points to a leaf or a next branch of the corresponding search tree. If the pointer does not point to the leaf of the corresponding search tree, the next branch contents are read and the prefix represented by the next branch is compared with the input key to find a distinguishing bit position. The program instructions read a leaf pattern when the leaf of a corresponding search tree is reached, and compare the leaf pattern with the input key to determine if the leaf pattern matches the input key. Finally, the program instructions return the longest prefix match found for the input key to the requesting application.

BRIEF DESCRIPTION OF THE DRAWINGS

The present invention will now be described with specific reference to the drawings in which:

FIG. 1 illustrates a tree data structure for an exact match search algorithm wherein a VPN identification field is combined with a hashed search key;

FIG. 2 illustrates the effect on exemplary data structures of using a direct table;

FIG. 3 illustrates an exemplary structure of a direct table entry and pattern search control block line formats in a longest prefix match search tree;

FIG. 4 illustrates a prior art example of a search using a longest prefix match search;

FIG. 5 is a basic longest prefix match routing table structure of the prior art;

FIG. 6 is another longest prefix match routing table structure using a virtual private network;

FIG. 7 shows a basic search key preparation process that is applied to the routing table of FIG. 6;

FIG. 8 illustrates an enhanced search key preparation process that is applied to the routing table of FIG. 6 in accordance with a preferred embodiment of the present invention;

FIG. 9 shows a floppy disc, indicative of a computer-readable medium for carrying out the steps of the present invention.

DETAILED DISCUSSION OF THE INVENTION

The subject invention relates to hashing the first segment of the IP address with the VPN number. Note that the remaining segment of the IP address must not be hashed in order to preserve the longest prefix match characteristic required by routing tables. This reduces the number of PSCBs that must be processed during a search since the hash should better distribute the combination of the VPN/partial IP address across DT entries that are not used for a direct map of the partial IP address.
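The key construction described above, shown as an added Python example that is not code from the patent. It assumes IPv4, N = 16, a truncated CRC-32 as a stand-in hash, prefixes of length N or more, and a plain list per direct table slot in place of the PSCB tree; all function, class and route names are hypothetical. The second function shows why the low-order bits must stay unhashed.

```python
import ipaddress
import zlib

N = 16            # bits of the IP DA that are hashed; the direct table has 2**N entries
LOW = 32 - N      # low-order IPv4 bits that are concatenated unhashed


def hash_segment(vpn: int, ip_hi: int) -> int:
    """Stand-in hash (assumption): CRC-32 of VPN + top N bits, truncated to N bits."""
    data = vpn.to_bytes(2, "big") + ip_hi.to_bytes(2, "big")
    return zlib.crc32(data) & ((1 << N) - 1)


def input_key(vpn: int, addr: str) -> int:
    """hash(VPN, top N bits of the IP DA) followed by the unhashed low bits."""
    ip = int(ipaddress.IPv4Address(addr))
    return (hash_segment(vpn, ip >> LOW) << LOW) | (ip & ((1 << LOW) - 1))


class VpnRouteTable:
    """Direct table indexed by the top N bits of the input key.

    Each slot holds a plain list of leaves instead of a PSCB tree, which keeps
    the example short; the longest-match selection is the same.
    """

    def __init__(self):
        self.direct_table = {}          # sparse stand-in for 2**N slots

    def insert(self, vpn, cidr, next_hop):
        net = ipaddress.IPv4Network(cidr)
        if net.prefixlen < N:
            raise ValueError("this example only stores prefixes of length >= N")
        slot = input_key(vpn, str(net.network_address)) >> LOW
        leaf = (vpn, int(net.network_address), net.prefixlen, next_hop)
        self.direct_table.setdefault(slot, []).append(leaf)

    def lookup(self, vpn, addr):
        ip = int(ipaddress.IPv4Address(addr))
        slot = input_key(vpn, addr) >> LOW
        best_len, best_hop = -1, None
        for leaf_vpn, leaf_net, leaf_len, hop in self.direct_table.get(slot, []):
            mask = ((1 << leaf_len) - 1) << (32 - leaf_len)
            # Compare at the end: two (VPN, segment) pairs can share a slot,
            # so the leaf's own VPN and prefix decide whether it matches.
            if leaf_vpn == vpn and (ip & mask) == leaf_net and leaf_len > best_len:
                best_len, best_hop = leaf_len, hop
        return best_hop


def full_hash_lookup(routes, vpn, addr):
    """Counter-example: hash the VPN with all 32 address bits.

    Every route is filed under the hash of its network address, so an address
    that merely falls inside a prefix hashes to an unrelated slot.
    """
    def h(v, a):
        return zlib.crc32(v.to_bytes(2, "big") + ipaddress.IPv4Address(a).packed)
    table = {h(v, cidr.split("/")[0]): hop for v, cidr, hop in routes}
    return table.get(h(vpn, addr))


# Constructed sample routes: (VPN number, prefix, next hop)
ROUTES = [
    (1, "10.1.0.0/16", "vpn1-core"),
    (1, "10.1.2.0/24", "vpn1-branch"),
    (2, "10.1.0.0/16", "vpn2-core"),   # same address space, different VPN
]


def build_table():
    table = VpnRouteTable()
    for vpn, cidr, hop in ROUTES:
        table.insert(vpn, cidr, hop)
    return table


if __name__ == "__main__":
    t = build_table()
    for vpn, addr in [(1, "10.1.2.77"), (1, "10.1.9.9"), (2, "10.1.2.77")]:
        print(vpn, addr, t.lookup(vpn, addr), full_hash_lookup(ROUTES, vpn, addr))
```

Because only the top N bits enter the hash, the /16 and the /24 of VPN 1 land in the same slot and the longer one wins; overlapping address space in VPN 2 is separated by the VPN check on the leaf.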

The tree search engine (TSE) uses the concept of trees to store and retrieve information. Retrieval, i.e., tree-searches as well as inserts and deletes, are done based on a key which is a bit-pattern such as, for example, a MAC source address, or the concatenation of an IP source address and an IP destination address. An exemplary tree data structure 100 that can be modified for use in the present invention is depicted in FIG. 1. Information is stored in a control block called a leaf 116, 118, 120, 122, which contains at least the key 102 (the stored bit pattern is actually the hashed key 106). A leaf can also contain additional information, such as aging information, or user information, which can be forwarding information, such as target blade and target port numbers. The format of a leaf is defined by stored program code; the object is placed into an internal or external control store.

The search algorithm for trees operates on input parameters including the key 102, performs a hash 104 on the key, accesses a direct table (DT) 108, walks the tree through pattern search control blocks (PSCBs) 110, 112, 114 and ends up at a leaf 116, 118, 120, 122. Each type of tree has its own search algorithm causing the tree-walk to occur according to different rules. For example, for longest prefix match (LPM) trees, the data structure is an extension to a Patricia tree. When a leaf has been found, this leaf is the only possible candidate that can match the input key 102. A “compare at the end” operation compares the input key 102 with the pattern stored in the leaf. This verifies if the leaf really matches the input key 102. The result of this search will be success (OK) when the leaf has been found and a match has occurred, or failure (KO) in all other cases.

The input to a search operation contains the following parameters:

-   Key: The 176 bit key must be built using special code instructions prior to the search or insert/delete. There is only one key register. However, after the tree search has started, the key register can be used by the code to build the key for the next search concurrently with the TSE 70 performing the search. This is because the TSE 70 hashes the key and stores the result in an internal hashed key register 106.
-   Key length: This 8 bit register contains the key length minus one bit. It is automatically updated by the hardware during the building of the key.
-   Look up definition index: This is an 8 bit index into the lookup definition table which contains a full definition of the tree in which the search occurs.
-   Tree search result: These results can be stored either in 1 bit tree search result areas TSR0 or TSR1. While the TSE is searching, the picocode can access the other TSR to analyze the results of a previous search.
-   VPN number: For trees which have VPN number enabled, the contents of a 16 bit VPN number register 124 is inserted in the key during the hash operation.

For LPM trees, the input key will be hashed into a hashed key 106. Typically, no hash function is performed on the input key for LPM trees, and the hashed output equals the input key. The hash algorithm (including no hash for LPM trees) that will be used is specified in the lookup definition table.

The lookup definition table is the main structure which manages tree search memory. The table is an internal memory structure and contains 128 entries for creating trees. The table contains entries that define the physical memory the tree exists in (e.g., DRAM, SRAM, internal RAM), whether caching is enabled, the size of the key and leaf, and the type of search action to perform. The table is implemented as three separate random access memories—one RAM that is accessible only by the general processor tree handler and two RAMs that are duplicates of each other and are accessible by all processors.

The output of the hash function 104 is a 176 bit number which has the property that there is a one-to-one correspondence between the original input key 102 and the output of the hash function 104. As will be explained below, this property minimizes the depth of the tree that starts after the direct table 108.

If the VPN numbers are enabled for the tree, the 16 bit VPN number register 124 is inserted in the 176 bit hash function output and the final result is a 192 bit number, called the hashed key 106. The insertion occurs directly after the direct table 108. If the direct table 108 contains 2^(N) entries, then the 16 bit value is inserted at bit position N. The output of the hash function, together with the inserted bit value, is stored in the hashed key register 106. If the numbers are disabled for a tree, the 176 bit hash function is taken unmodified, and 16 zeros are appended to the hash output to produce the 192 bit final hashed key.

VPN numbers can be used to share a single direct table 108 among multiple independent trees. For example, one use of a VPN number could be a VLAN ID in a MAC source address (SA) table. In this case, the input key 102 would be the MAC SA, and the VPN number 124 would be the VLAN ID (since the VLAN ID is 12 bits, four bits of the VPN number would be unused, i.e., set to zero). After the hash function 104, the pattern used is 48+16=64 bits. The VPN number is now part of the pattern and will distinguish between MAC addresses of different VLANs.

The hash function 104 is defined such that most entropy in its output resides in the highest bits. The N highest bits of the hashed key register 106 are used to calculate an index into the direct table (DT) 108.

To achieve storage as well as search efficiency, this invention makes use of the following data structures: 1. pattern/key that needs to be searched; 2. direct table (DT) entry; 3. pattern search control block (PSCB); and 4. leaf.

A DT entry is the first address location based on the first “n” bits of the key. It includes a combination of five parts. A DT entry either has a shape defined by a width of one and a height of one, or a width of one and a height of two, as described further below. A PSCB entry represents an intermediate node location. A leaf entry is the address location for the search result.

A PSCB represents a branch in the tree. In the preferred embodiment,there is an 0-branch and a 1-branch. The number of branches emanatingfrom a PSCB is variable depending on the number of bits used todesignate the branches. If n bits are used, then 2n branches are definedat that PSCB. Each PSCB is also associated with a bit position p. Allleaves that can be reached from the PSCB through the 0-branch have a ‘0’at position p in the pattern, and the leaves that can be reached throughthe 1-branch have a ‘1’ at position p. Furthermore, all leaves that canbe reached from a PSCB will always have patterns at which bits 0 . . .p−1 are identical, i.e., the patterns start to differ at position p. Thebit position associated with a PSCB is stored in the previous PSCB or ina DT entry and is called the NBT (i.e., next bit to test).

Thus, PSCBs are only inserted in the tree at positions where multipleleaf patterns have not yet been differentiated. This allows efficientsearch operations since the number of PSCBs, and thus the searchperformance, depends only on the number of leaves in a tree and not onthe length of the patterns.

The formats for a DT and a PSCB entry are identical and include the following parts: 1. Format: 2 bits. 2. NPA (next pattern address): points to the next PSCB address. 3. LCBA (leaf control block address): points to the leaf/result. 4. NBT (next bit or bits to test) . . . can be next pair or group “x” (x = 1 or n) bits to test. The number of bits to be tested is determined based on the storage efficiency, etc.

Each entry in this exemplary implementation is 36 bits wide and contains one of four possible currently defined entries.

1. Empty DT Entry: SCB=00 and NPA=0 and the LCBA/NBT are not valid, or

2. The NPA/NBT is valid but the LCBA is not valid: SCB=00 and NPA=non-zero and NBT is valid. The LCBA can be zero or non-zero. For a DT entry, NPA points to the first intermediate node and the NBT points to the bit or bits to be tested. In the case of a PSCB entry, the NPA points to other nodes in the trail.

3. The LCBA is valid and the NPA/NBT is valid: SCB=01 and NPA/NBT/LCBA is non-zero. The LCBA points to an associated leaf address, i.e., search result. The NPA points to the next PSCB address and the NBT points to the test bit or bits.

4. The LCBA is valid and the NPA/NBT is not valid: SCB=01 and NPA=zero. LCBA points to an associated leaf address, i.e., a search result. It indicates the end node.

With regard to memory allocation, LPM PSCBs have the same structure as LPM DT entries except that they always consist of two entries. These pairs or groups of addresses are allocated consecutively in memory, one of which is selected depending on whether a bit of the search key tested at the previous level of the tree is a “1” or “0”.

The format of a leaf in an LPM tree contains control information including a pattern. The pattern identifies the leaf as unique in the tree. A leaf also contains the data needed by the application that initiated the tree search. The data contained in a leaf is application dependent and its size or memory requirements are defined by the lookup definition table entry for the tree.

The high level algorithm flow for the longest prefix match search is as follows:

1. Read the DT entry.

-   a. if NBT>0, then read the next PSCB and store the LCBA and the previous NBT in the stack (if LCBA is present); select the first or second half of a subsequent PSCB depending on the results of testing bit NBT in the search key.
-   b. if NBT=0, then read the leaf at the LCBA and go to the leaf evaluation step;
-   c. if NBT is not valid and the LCBA is not present; return KO, i.e., failure for the search result and completion flag as done.

2. Repeat step 1 for each subsequent PSCB in the chain.

3. Leaf evaluation: compare the pattern (key) and the pattern stored in the leaf and compute the mismatch point.

-   a. compare the value of the mismatch point with the NBT field within the stack and read the corresponding leaf (i.e., the LCBA) with the closest matching NBT and return with OK (success);
-   b. if all the NBTs are greater than mismatch point, return the result with KO (failure) since no matching leaf/subnet was found.
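The three steps above can be followed in a small software model. This is an added example, not code from the patent: the entry layout, the 32-bit key with bit 0 as the most significant bit, the hand-built tree and its sample routes are all constructed, and it assumes that each stacked NBT is the NBT field of the entry that carries the LCBA, so that a stored prefix is known to match once the mismatch point reaches that NBT.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified software model (assumed layout, not the 36-bit hardware format). */
typedef struct { uint32_t pattern; int len; const char *name; } leaf_t;
typedef struct { int nbt; int lcba; int npa; } entry_t;   /* -1 = field not valid */

/* Constructed sample routes. */
static const leaf_t leaves[] = {
    {0x0A000000u,  8, "10.0.0.0/8"},      /* 0 */
    {0x0A010000u, 16, "10.1.0.0/16"},     /* 1 */
    {0x0A010200u, 24, "10.1.2.0/24"},     /* 2 */
    {0x0A018200u, 24, "10.1.130.0/24"},   /* 3 */
    {0x0A800000u,  9, "10.128.0.0/9"},    /* 4 */
};
/* entries[0] is the DT entry; a PSCB pair occupies consecutive indexes
   (npa = 0-branch, npa + 1 = 1-branch). */
static const entry_t entries[] = {
    { 8, 0,  1},   /* DT: prefix leaf /8, test bit 8, pair at 1 */
    {16, 1,  3},   /* bit 8 = 0: prefix leaf /16, test bit 16   */
    { 0, 4, -1},   /* bit 8 = 1: end node, leaf /9              */
    { 0, 2, -1},   /* bit 16 = 0: end node                      */
    { 0, 3, -1},   /* bit 16 = 1: end node                      */
};

static int key_bit(uint32_t key, int pos) { return (key >> (31 - pos)) & 1; }

/* First bit position (0 = MSB) where a and b differ; 32 if they are equal. */
static int mismatch_point(uint32_t a, uint32_t b) {
    uint32_t x = a ^ b;
    int p = 0;
    if (x == 0) return 32;
    while (!(x & 0x80000000u)) { x <<= 1; p++; }
    return p;
}

/* Returns the index of the longest matching leaf, or -1 for KO. */
int lpm_search(uint32_t key) {
    struct { int nbt, lcba; } stack[32];
    int depth = 0, cur = 0;

    /* Steps 1-2: walk the chain, stacking prefix leaves met on the way. */
    while (entries[cur].nbt > 0 && entries[cur].npa >= 0) {
        if (entries[cur].lcba >= 0) {
            stack[depth].nbt = entries[cur].nbt;
            stack[depth].lcba = entries[cur].lcba;
            depth++;
        }
        cur = entries[cur].npa + key_bit(key, entries[cur].nbt);
    }
    if (entries[cur].lcba < 0) return -1;    /* step 1c: nothing to read */

    /* Step 3: compare the key with the leaf pattern. */
    const leaf_t *lf = &leaves[entries[cur].lcba];
    int mm = mismatch_point(key, lf->pattern);
    if (mm >= lf->len) return entries[cur].lcba;

    /* Step 3a: the stack is in increasing NBT order, so scan from the top
       for the closest NBT that does not exceed the mismatch point. */
    while (depth-- > 0)
        if (stack[depth].nbt <= mm) return stack[depth].lcba;
    return -1;                                /* step 3b: KO */
}

int main(void) {
    uint32_t probes[] = {0x0A010207u, 0x0A010307u, 0x0A020207u, 0x0BC80001u};
    for (int i = 0; i < 4; i++) {
        int r = lpm_search(probes[i]);
        printf("%08x -> %s\n", (unsigned)probes[i], r < 0 ? "KO" : leaves[r].name);
    }
    return 0;
}
```

A key that walks to the /24 leaf but differs from it inside the third octet falls back to the stacked /16, and a key that already differs in the first octet finds every stacked NBT above its mismatch point and returns KO.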

The bit/register width values described herein are exemplary and can be changed to different values to optimize the available memories, performance requirements, etc.

The search starts with an access into the direct table 108, i.e., a DT entry is read from the direct table 108. The address used to read the DT entry is calculated from the N highest bits of the hashed key in register 106, as well as on tree-properties as defined in the lookup definition table. The DT entry can be seen as the root of a tree. The actual tree data structure depends on the tree-type. Extensions to a Patricia tree data structure are used for LPM trees.

An example of the use of an eight entry DT 108 is shown in FIG. 2. It can be seen that the search time, i.e., the number of PSCBs that must be accessed, can be reduced by using a DT 108. Thus, by increasing the DT size, a trade-off can be made between memory usage and search performance.

After a DT entry has been read and assuming the DT entry does not contain a direct leaf nor is it empty, the search continues by walking the tree that starts at the DT entry. The tree-walk may pass several pattern search control blocks until a leaf has been reached.

When a PSCB is encountered during a search in an LPM tree, the tree search engine hardware will continue the tree-walk on the 0-branch or the 1-branch, depending on the value of the bit p of the Hashed key.

A lookup task using an LPM employs a library of binary patterns called prefixes, each having a length from 1 to N. A search occurs when a new pattern having a length X equal to, or greater than, N is presented. The search consists of finding the longest prefix (if any) which has all of its bits identical to the highest order bits of X. The search can be conducted in a tree structure, such as a Patricia tree, wherein one or a few bits of X are tested at each tree. Alternatively, a content addressable memory (CAM) search can be conducted using selected bits of X in one step.

FIG. 7 illustrates a basic search key preparation process that is applied to the routing table of FIG. 6 enabling resolution of the first 16 bits of the IP address in a direct-mapped table (DT), and uses Patricia tree structures to resolve cases where multiple routes correlate to a common entry in the DT. The DT is used to resolve the first 16 bits of an IP address. Prefixes of longer prefixes (nested prefixes) are also included in this routing table structure. This routing table structure supports multiple VPNs within the same table. The VPN is identified by N bits (typically 12 bits) that must be completely resolved via additional Patricia tree decision elements or pattern search control blocks prior to resolving the second half of the IP address. Unfortunately, this approach results in longer routing table search times due to the additional PSCBs that must be resolved. Even when a single VPN correlates to a specific first 16 bits, if a 16 bit route is required in the routing table, it requires at least one PSCB to insure the VPN matches. Prefixes shorter than 16 bits are resolved in a second DT in which the VPN number is concatenated with the first few bits of the IP address, followed by chains of PSCBs to completely resolve short routes.

The process applied to a search key in accordance with the subject invention is illustrated in FIG. 8. Yet another aspect of the subject invention is an optimization to the search engine that interprets the significant bit to test each DT entry as 16+N. This enables a single route to be connected directly to a DT entry without requiring a PSCB to define its distinguishing bit position. Likewise, this feature enables a 16 bit prefix of a longer prefix to be connected directly to a DT entry as long as all routes correlating to this DT entry are members of the same VPN. Thus, any search can be validated for this route as long as the first 16+N bits compare successfully between the search key and the pattern in the leaf. The net result is that the enhanced hashed direct table will completely resolve both the first 16 bits of the route and the VPN number, resulting in a search performance equal to that of a basic routing table illustrated in FIG. 1. There will certainly be a few DT entries that require additional PSCBs, but these cases will only result in a minor reduction in search performance. The subject invention assumes short routes are resolved using previously disclosed implementations that are beyond the scope of the subject invention.

Referring again to FIG. 8, the search key is formed exactly the same way as previously used, with the VPN number loaded as the VPN number parameter of the search. Rather than resolving the VPN number via PSCBs, the subject invention applies a random hash to the combination of the VPN number and the first segment of the IP address. The result of the hash is used as an offset from a DT base address to index into the direct table. If a given DT entry correlates to a single VPN, it is possible to point directly from the DT entry to a route in the table. The implied bit position (for IPV4) of the DT entry is 16+N (e.g. 16+12=28).

Thus, if a 16 bit prefix of longer prefixes is pointed to directly from the DT, the search engine must be enhanced to identify this route with bit position 28 to insure the longest prefix match process completes as desired. If multiple VPN numbers correlate to the same DT entry, no routes can be connected to the DT, and one or more PSCBs must completely resolve sub-trees to the extent that each is restricted to contain only routes from a single VPN. PSCB chains are constructed in accordance with previously disclosed methods relating to fixed match or exact match search trees. The last PSCB used to resolve the VPN and first 16 bits uniquely must use the 28th bit (e.g. for IPV4) as its test bit to insure the hashed part of the search key is resolved exactly prior to processing the second segment of the IP address. This may require one additional PSCB in the chain just to identify the required bit position, but may suggest an optimization to the standard method of building PSCB chain structures to choose the 28th bit as the final distinguishing bit position, rather than some previous bit position that could equally distinguish two patterns.
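The key formation of FIG. 8 and the exact compare of the first 16+N bits can be modelled as follows. This is an added example, not code from the patent: the invertible mix `hash28`, the 256-entry DT size, the flat route array that stands in for PSCB chains, and the routes themselves are assumptions or constructed values.

```c
#include <stdint.h>
#include <stdio.h>

#define VPN_BITS  12                       /* N on the page */
#define SEG1_BITS 16                       /* hashed first segment of the IP DA */
#define HASH_BITS (VPN_BITS + SEG1_BITS)   /* 28: implied bit position of a DT entry */
#define KEY_BITS  (HASH_BITS + 16)         /* hashed part + unhashed low 16 bits */
#define DT_BITS   8                        /* assumed DT size: 256 entries */
#define HASH_MASK ((1u << HASH_BITS) - 1)

/* Stand-in hash (assumption): an odd multiply and an xor-shift are both
   invertible mod 2^28, so distinct (VPN, segment) pairs never share a value. */
static uint32_t hash28(uint32_t vpn, uint32_t seg1) {
    uint32_t x = ((vpn << SEG1_BITS) | seg1) & HASH_MASK;
    x = (x * 0x9E3779Bu) & HASH_MASK;
    return x ^ (x >> 15);
}

uint64_t make_key(uint32_t vpn, uint32_t ip) {
    return ((uint64_t)hash28(vpn, ip >> 16) << 16) | (ip & 0xFFFFu);
}

unsigned dt_index(uint64_t key) { return (unsigned)(key >> (KEY_BITS - DT_BITS)); }

typedef struct { uint64_t pattern; int len; unsigned dt; int next_hop; } route_t;
static route_t routes[16];
static int n_routes;

/* plen is the IPv4 prefix length; routes shorter than 16 bits are out of scope. */
int add_route(uint32_t vpn, uint32_t prefix, int plen, int next_hop) {
    if (plen < SEG1_BITS || plen > 32 || n_routes == 16) return -1;
    route_t *r = &routes[n_routes++];
    r->len = HASH_BITS + (plen - SEG1_BITS);
    r->pattern = make_key(vpn, prefix) & ~((1ULL << (KEY_BITS - r->len)) - 1);
    r->dt = dt_index(r->pattern);
    r->next_hop = next_hop;
    return 0;
}

/* Linear scan of one DT bucket stands in for the PSCB chain. Every stored
   length is >= 28, so the compare always covers the whole hashed part. */
int lookup(uint32_t vpn, uint32_t ip) {
    uint64_t key = make_key(vpn, ip);
    int best_len = -1, best = -1;
    for (int i = 0; i < n_routes; i++) {
        const route_t *r = &routes[i];
        if (r->dt != dt_index(key)) continue;
        if (((key ^ r->pattern) >> (KEY_BITS - r->len)) == 0 && r->len > best_len) {
            best_len = r->len;
            best = r->next_hop;
        }
    }
    return best;   /* -1: no route in this VPN */
}

/* Finds a first segment in vpn_b that lands on the same DT entry as (vpn_a, seg_a). */
int colliding_segment(uint32_t vpn_a, uint32_t seg_a, uint32_t vpn_b) {
    unsigned want = dt_index(make_key(vpn_a, seg_a << 16));
    for (uint32_t s = 0; s <= 0xFFFFu; s++)
        if (dt_index(make_key(vpn_b, s << 16)) == want) return (int)s;
    return -1;
}

int main(void) {
    add_route(5, 0x0A010000u, 16, 100);    /* constructed routes */
    add_route(5, 0x0A010200u, 24, 101);
    add_route(9, 0x0A010000u, 16, 200);
    printf("vpn5 10.1.2.7 -> %d\n", lookup(5, 0x0A010207u));
    printf("vpn9 10.1.2.7 -> %d\n", lookup(9, 0x0A010207u));
    return 0;
}
```

Two VPNs that land on the same DT entry still resolve separately, because a route is accepted only when all 28 hashed bits of the key equal those of the stored pattern; the DT index alone is never treated as proof of VPN membership.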

The dynamic route insertion/deletion process for a routing table in accordance with the subject invention must also be modified to maintain the desired table structure.

According to the present invention, the following insertion policy shall be employed:

-   Determine DT entry correlating to new route.
-   If DT entry is empty, add directly to DT.
-   If distinguishing bit position is greater than bit 28 (this VPN already has other routes at this DT entry), insert normally.
-   If distinguishing bit position is bit 28 or less (new VPN for this DT entry)
    -   If first PSCB in place is greater than bit 28, add PSCB to resolve new VPN from existing VPN.
        -   Use bit 28 if distinguishing.
        -   Otherwise, use first distinguishing bit. Then add PSCB at bit 28 for each VPN
    -   If first PSCB in place is less than bit 28 (multiple VPNs already in place)
        -   Use bit 28 if distinguishing.
        -   Otherwise, use first distinguishing bit. Then add PSCB at bit 28 for new VPN (others should already have it).

Likewise, a deletion policy involves the following steps:

-   Determine DT entry correlating to route to be deleted.
-   If route to be deleted is at the DT entry, delete the route from the DT normally.
-   If distinguishing bit position is greater than bit 28 (this VPN has other routes at this DT entry), delete normally.
-   If distinguishing bit position is bit 28, or if next PSCB is with only one choice at bit 28 (other VPNs for this DT entry)
    -   If no previous PSCBs (only one other VPN)
        -   Remove PSCBs
        -   Use DT entry to point directly
    -   If one or more previous PSCBs in place (multiple other VPNs)
        -   Remove PSCB normally
-   If distinguishing bit position has one or more subsequent PSCBs prior to the PSCB at bit 28 (more than 1 VPN left)
    -   Remove PSCB normally.

The method of the subject invention results in faster search performance since it is able to resolve most, if not all, VPN distinctions with a single DT access rather than requiring multiple PSCBs. The invention can also use a larger direct table, further reducing the number of PSCBs required.

The invention has been described specifically within the context of IPV4 (i.e. 32 bit IP address) and VPN applications. However, it should be obvious to those skilled in the art that these concepts could be extended to other applications in which the longest prefix match (LPM) search characteristic can be limited to only part of the search key. For example, with IPV6, potentially an even longer first segment of the IP address could be hashed if the LPM characteristic were limited to the last segment of each address.

FIG. 9 shows a computer-readable medium in the form of a floppy disc 900 for containing the software implementation of the program to carry out the various steps of project management according to the present invention. Other machine readable storage mediums are fixed hard drives, optical discs, magnetic tapes, semiconductor memories, such as read-only memories (ROMs), programmable (PROMs), etc. The article containing this computer readable code is utilized by executing the code directly from the storage device, or by copying the code from one storage device to another storage device, or by transmitting the code on a network for remote execution. The computer program may be loaded into the memory to configure and to run the program herein described and claimed for execution. The computer program comprises instructions which, when read and executed by the system, perform the steps necessary to execute the steps or elements of the present invention.

The present invention can be realized in hardware, software, or a combination of the two. Any kind of computer system or other apparatus adapted for carrying out the methods described herein is suited. A typical combination of hardware and software could be a general purpose computer system that, when loaded and executed, controls the computer system such that it carries out the methods described herein. The present invention can also be embedded in a computer program product, which comprises all the features enabling the implementation of the methods described herein, and which, when loaded in a computer system, is able to carry out these methods.

Computer program instructions or computer program in the present context mean any expression, in any language, code (i.e., code instructions) or notation, of a set of instructions intended to cause a system having an information processing capability to perform a particular function either directly or after either or both of the following occur: a) conversion to another language, code or notation; b) reproduction in a different material form.

While the invention has been described in combination with specific embodiments thereof, there are many alternatives, modifications, and variations that are likewise deemed to be within the scope thereof. Accordingly, the invention is intended to embrace all such alternatives, modifications and variations as fall within the spirit and scope of the appended claims.

1. A computer system including a computer processing device having the capability of conducting a search, responsive to a request, through a virtual private network routing table, involving the steps of: a) forming a search key by hashing a first segment of an internet protocol (IP) destination address with a virtual private network (VPN) number and concatenating the remaining segment of the internet protocol address; b) inputting the hashed portion of the search key into a routing table representing nodes of search trees; c) determining the longest prefix match for the search key within the routing table; and d) performing the additional step of returning the longest prefix match to the requester.

2. The computer system according to claim 1 wherein the processing device is capable of performing the hash on the n most significant bits of the IP destination address and the VPN number and concatenating the remaining least significant bits of the IP destination address to the result of the hash operation to form the search key.

3. The system according to claim 2 further including the ability to use the hashed portion of the search key as an index into the routing table, wherein each non-empty node in the table contains a pointer to the next branch in a tree or to a leaf having a distinctive pattern.

4. The system according to claim 3 further having the capability of comparing a leaf pattern with the search key to determine if the leaf pattern matches the hashed portion of the search key.

5. The system according to claim 3 further having the capability to terminate the search for the longest prefix match when the bit number of the next branch exceeds the length of the search key.

6. The system according to claim 1 wherein the steps can be carried out using hardware, or software, or a combination of both.

7. A method of determining a longest prefix match for a variable length search key by conducting a search through a virtual private network (VPN) routing table structure for at least one search tree, comprising: hashing the N most significant bits of an internet protocol (IP) destination address with a virtual private network number, and concatenating the remaining least significant bits of the IP destination address to the result of the hash operation to form a search key; inputting the hashed portion of the search key into a direct table within the routing table structure wherein the direct table represents a plurality of root nodes of search trees; to thereby determine the longest prefix match.

8. The method according to claim 7 wherein insertion of a route into the direct table structure comprises the steps of: determining the direct table entry correlating to new route; if the direct table entry is empty, adding the entry directly to direct table; if the distinguishing bit position is greater than bit 28, insert normally; if the distinguishing bit position is bit 28 or less: if the first PSCB in place is greater than bit 28, add PSCB to resolve new VPN from existing VPN; use bit 28 if distinguishing; otherwise, use first distinguishing bit, then add PSCB at bit 28 for each VPN; if the first PSCB in place is less than bit 28 (multiple VPNs already in place) use bit 28 if distinguishing; otherwise, use first distinguishing bit and then add PSCB at bit 28 for new VPN.

9. The method according to claim 7 wherein the deletion of a route into the direct table comprises the steps of: determining the direct table entry correlating to route to be deleted; if the route to be deleted is at the direct table entry, delete the route from the direct table normally; if the distinguishing bit position is greater than bit 28, delete normally; if the distinguishing bit position is bit 28, or if next PSCB is with only one choice at bit 28; if no previous PSCBs in place remove the PSCB, and use direct table entry to point directly; if at least one previous PSCBs in place remove the PSCB normally; if the distinguishing bit position has one or more subsequent PSCBs prior to the PSCB at bit 28, remove the PSCB normally.

10. A computer readable medium containing a plurality of data structures for finding a longest prefix match for a variable length search key, comprising: a pattern or key that is to be searched; a direct table that stores a first address location for a search tree; a plurality of pattern search control blocks that each represent a branch in the search tree; and a plurality of leaves wherein each leaf is an address location for the result of a search.

11. The computer readable medium of claim 10 further comprising a lookup definition table that manages a tree search memory.

12. The computer readable medium of claim 11 wherein the lookup definition table comprises entries that define a physical memory that the tree resides in, a size of the key and leaf, and a type of search to be performed.

13. The computer readable medium of claim 10 wherein the lookup definition table is implemented in a plurality of memories.

14. The computer readable medium of claim 10 wherein a format for a direct table entry includes at least one search control block; a next pattern address that points to a next pattern search control block; a leaf control block address that points to a leaf or result; a next bit or bits to test; and a direct leaf.

15. The computer readable medium of claim 10 wherein a format for a pattern search control block includes at least one of a search control block; a next pattern address that point to a next pattern search control block; a leaf control block address that points to a leaf or result; and a next bit or bits to test.

16. The computer readable medium of claim 10 wherein a leaf data structure includes at least one of a leaf chaining pointer; a prefix length; a pattern to be compared to the search key; and variable user data.

17. The computer readable medium of claim 14 wherein the direct leaf is stored directly in a direct table entry and includes a search control block and a pattern to be compared to a search key.

18. The computer readable medium of claim 10 wherein a pattern search control block is inserted in the search tree at a position where the leaf patterns differ.

19. The computer readable medium of claim 10 wherein a pattern search control block has a shape defined by a width of one and a height of one and is stored in a memory that has a line length of at least 64 bits.

20. The computer readable medium of claim 10 wherein a pattern search control block has a shape defined by a width of one and a height of two and is stored in a memory of at least 36 bits.

21. The computer readable medium of claim 10, containing a program product for determining a longest prefix match for a variable length search key, comprising: program instructions that read an IP destination address and a VPN number as a search string; program instructions that perform a hash on the N most significant bits of the IP destination address and the VPN number to form an input key; program instructions that use the N most significant bits of the input key as an index into a table representing a plurality of root nodes of search trees wherein each non-empty entry contains a pointer to a next branch in the search tree or a leaf; program instructions that determine if the pointer in a non-empty table entry points to a leaf or a next branch of the corresponding search tree; program instructions that read the next branch contents if the pointer does not point to the leaf of the corresponding search tree and compare the prefix represented by the next branch with the input key to find a distinguishing bit position; program instructions that read a leaf pattern when the leaf of a corresponding search tree is reached and compare the leaf pattern with the input key to determine if the leaf pattern matches the input key; and program instructions that return the longest prefix match found for the input key to the requesting application.